Generating profiles for specific users and groups

You can automatically generate profiles for specific users and groups by enabling group policies in a Group Policy Object for a domain, site, or organizational unit in an Active Directory forest or by specifying configuration settings on individual computers.

Rights required for this task

You must have an account with root permission to modify agent configuration files on managed computers or an administrative account with write permission to enable group policies on a Group Policy Object linked to a domain or organizational unit.

Who should perform this task

A Windows or UNIX administrator performs this task, depending on your organization’s policies. In most cases, a Windows administrator is responsible for configuring group policies and modifying Group Policy Objects. If your organization uses local configuration settings, the UNIX administrator is usually responsible for this task.

Steps for completing this task using group policies

In most cases, you should use group policies in a Group Policy Object to identify the Active Directory users and groups for which you want to automatically generate profiles. The Group Policy Object enables you to centrally manage access to computers in the Auto Zone. You can enable and configure the following group policies to specify a subset of Active Directory users and groups that should have access to computers in Auto Zone:

  • Specify AD users allowed in Auto Zone
  • Specify groups of AD users allowed in Auto Zone
  • Specify AD groups allowed in Auto Zone

The following instructions illustrate how to limit the valid users and groups in the Auto Zone using these group policy settings.

Steps for completing this task using configuration parameters

In some cases, you might want to limit the Active Directory users and groups who have a profile generated by configuring parameters in the centrifydc.conf file on individual computers. For example, you might want to use configuration parameter settings if you don’t want to implement or apply group policies on certain computers.

You can configure the following configuration parameters to specify a subset of Active Directory users and groups that should have access to computers in Auto Zone:

  • auto.schema.allow.users
  • auto.schema.allow.groups
  • auto.schema.groups

The following instructions illustrate how to limit the valid users and groups in the Auto Zone using these configuration parameters settings.